Microsoft disclosed a critical authentication bypass vulnerability in Azure Bastion, its managed remote access service, enabling attackers to escalate privileges to administrative levels with a single network request.
The vulnerability, designated CVE-2025-49752, affects all Azure Bastion deployments and received an emergency security patch on November 20, 2025.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-49752 |
| Vulnerability Type | Authentication Bypass / Elevation of Privilege |
| CWE Classification | CWE-294 (Authentication Bypass by Capture-Replay) |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network |
The vulnerability undermines these protections by allowing remote privilege escalation without prior authentication or user interaction.
Technical Details and Exploitation Risk
CVE-2025-49752 exploits authentication capture-replay techniques, a well-established attack pattern where valid credentials or authentication tokens are intercepted and replayed to gain unauthorized access.
The vulnerability achieves a maximum CVSS score of 10.0, indicating it can be exploited remotely over the network from any location without requiring special privileges or user assistance.
The critical nature of this vulnerability stems from its network-accessible exploitation pathway.
An attacker can bypass Azure Bastion’s authentication mechanisms entirely and assume administrative privileges, potentially accessing all virtual machines reachable through the compromised Bastion host.
This represents a complete compromise of the Bastion service’s security architecture.
Microsoft has not disclosed detailed technical specifications, proof-of-concept code, or attack methods as of November 20, 2025.
Security researchers have not documented active exploitation in production environments, though this does not diminish the urgency of patching affected systems.
All organizations using Azure Bastion should apply Microsoft’s security update without delay. The patch was released on November 20, 2025, and deployment should be prioritized as a critical security incident.
System administrators should verify that all Azure Bastion instances have received the update and monitor logs for suspicious authentication attempts or unusual administrative access patterns.
Consider implementing additional network segmentation and access controls while deployments are being patched.
Organizations should also audit recent administrative access logs to determine if the vulnerability was exploited before patches were applied.
If unauthorized access is detected, immediate incident response procedures should be initiated.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and set GBH as a Preferred Source in Google.